Before we can set up a client/server VPN, we need to set up the Public Key Infrastructure (PKI) first. The PKI comprises the Certificate Authority, the private keys, and the certificates (public keys) for both the client and server. We also need to generate a Diffie-Hellman parameter file that is required for perfect forward secrecy.
For setting up the PKI, we make use of the
easy-rsa scripts supplied by the OpenVPN distribution itself.
The PKI needs to be set up on a trusted computer. This can be the same as the computer on which the OpenVPN server is run, but from a security point of view, it is best if the PKI is kept completely separated from the rest of the OpenVPN services. One option is ...